Here's something that has always baffled me. Why is it bad to have open ports on your computer? Assuming you don't have a virus on your computer or some other program listening on a port that may actually do something, why does it matter if a port is open? If some malicious person starts sending packets to a port, but nothing is there to receive the data and do something with it, why does it matter? A computer doesn't just arbitrarily execute any data it receives. I understand flooding a computer with packets could cause it to crash because it just can't deal with the amount of data, but I'm only considering security issues that actually change the files on the computer.

Update

Thanks for the replies so far. I understand now that a port being open actually means there is a program that can be exploited listening on that port. But why is it so hard to write software that can't be exploited? To do any real harm to a computer, wouldn't a program have to allow one or more files to be uploaded, and then one of those files would need to be executed? It seems like that would be incredibly hard to allow accidentally.

8 Answers

A port isn't open if something isn't listening for a connection on it.

The reason it is bad form to have all ports open to everywhere is that it exposes those services that are listening on those ports to exploits. That is why firewalls exist, to limit what is allowed to connect to certain ports, to reduce the surface area exposed by services.

EDIT

To address your question about why people can't just write software that isn't exploitable:

This is fairly easy for simple programs, but many programs that require a socket are complex. As such, they have many components, many of which aren't even written by the developer most likely (included libraries). You cannot rely on other people to keep your network secure when there are hardening methods you can use yourself, such as firewalls.

Arbitrary/remote code execution is a huge risk, as you have pointed out. Unfortunately buffer overflows and other security flaws that allow it are common. Look at any Microsoft security update and I'll bet it patches either remote code execution or elevation of privileges, and MS is a huge company with hundreds of developers and billions of dollars.

Just adding: If you for example know that a service has a bug which can be used to infiltrate code or whatever and you actually see that this service is running, this is an open invitation ;)
– Felix Dec 13 '09 at 0:32


It's very difficult to write software that can't be exploited!

I have read the book Building Secure Software, and one thing it discussed was exploiting stack overflows. There were two very scary facts in there:

For a program to have an exploitable stack overflow bug is very easy to do, especially when the program is written in C. In the C programming language, many functions are not safe by default and the programmer either needs to know to avoid the vulnerable functions, or has to take special actions to be safe.

The exploit a hacker needs to use is short - very short. It was less than half a page of assembly language, which translates to 100 or so (guess) bytes of machine code. This exploit code is sufficient to give the hacker shell (command prompt) access to your machine. No big file upload and execution required - just a tiny piece of code that can be inserted into the middle of legitimate data.

So if a hacker can find a program that (a) has a stack overflow bug that is (b) exploitable over a network and (c) has a couple of hundred bytes spare in its buffer, then your computer is pwned. Fortunately, knowledge about stack overflow bugs is fairly common knowledge now, but they do still pop up. 5 years ago and longer this was a much more frequent problem.

Going back to your original question, you should avoid open ports to avoid any accident with an exploitable bug in a program. You now have a second reason: the remote shell that a hacker would then use is another open port. If you have a firewall that is blocking everything except that you have specifically allowed, you would also block that remote shell (although a hacker would still be able to do other nasty things to your computer, so don't be complacent!)

Open port: When anyone asks, the computer responds that there is a service listening on this port. This means anything coming to this port will get processed by a program (a service) running on that computer.

Closed port: When anyone asks, the computer responds that there are no services listening on that port. The asker will know there is a computer responding at the address.

Stealth port: When anyone asks, they get no reply. The point is to hide whether there is a computer at the address at all. It might not be very effective, though, as joschi points out in the comments.

If you have an open port, you are safe provided the program processing the incoming stuff has no available exploits. But exploits are found all the time, and it's good to know that there are a lot of port scans travelling around the net, looking for targets.

Closed ports still respond to the asker, so a possible attacker knows to proceed checking other ports. Then again, this is how the internet is specified to work. While stealth ports attempt to not give the potential attacker any information, in theory they break the specification.

From a security point of view, any open port is a huge gaping hole, since code is being used to process foreign data. What a firewall (or a NAT router) does is make sure no incoming traffic gets to your computer, even if the system has some open ports. This way, they effectively close all ports.

Your definition of a "stealth port" is wishful thinking. Actually an attacker knows that there is a computer if he doesn't receive any answer. If there was no computer on that particular IP address, the preceding router would send a message about that. With "stealth ports" that does not happen...
– joschi Dec 13 '09 at 12:28

@joschi: Well, it's a concept that I've seen around the internet, so I think it's good to define it. You make a good point, though. I edited the answer to reflect your comment. At least it makes the target IP look like it's behind a NAT router, I guess. I've never been a fan of the concept myself: If you have open ports, you should make sure they're running a secure service. And if you have no open ports, there's no problem telling the net that you exist. Stealth smells like security hype to me.
– Ilari Kajaste Dec 13 '09 at 13:38

joschi: not all routers do that. Many routers simply forward blindly to IP addresses where there is no system. Connection attempts time out simply because the client gets bored of trying to do a three-way handshake.
– benc Dec 14 '09 at 7:04
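The three states described in the answer above (open, closed, stealth/filtered) can be observed from the client side by how a TCP connect attempt ends. The script below is an added example, not part of any answer on this page; it runs a constructed experiment against 127.0.0.1 with one port that has a listener and one that does not, so no external network or firewall is needed (the "filtered" branch is only reachable when a firewall drops the packets).

```python
import socket


def classify_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify a TCP port from the outcome of a single connect attempt.

    'open'     - the connect succeeds: a program is listening there.
    'closed'   - the host answers with a RST (ConnectionRefusedError):
                 the machine exists, but nothing listens on that port.
    'filtered' - no answer before the timeout: packets were dropped,
                 typically by a firewall; this is the "stealth" case.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    finally:
        s.close()


def local_experiment() -> dict:
    """Constructed demo on 127.0.0.1: one port with a listener, one without."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    listener.listen(1)                   # from here on the port is "open"
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                        # released again: nothing listens there

    try:
        return {
            "listening": classify_port("127.0.0.1", open_port),
            "no_listener": classify_port("127.0.0.1", closed_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for name, state in local_experiment().items():
        print(f"{name}: {state}")
```

Running it prints `listening: open` and `no_listener: closed`; the same kind of check against your own machine from another host is a quick way to confirm that a firewall rule really hides a service rather than merely closing it.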

Assuming you don't have a virus on your computer or some other program listening to a port that may actually do something why does it matter if a port is open? If some malicious person starts sending packets to a port, but nothing is there to receive the data and do something with it why does it matter?

I'm no security expert, but I did a little research... An "open" port is a port that is set up to accept an incoming TCP connection.

If you have apps listening only on ports 9, 21, and 80, and your firewall blocks access to those three ports, you technically have no ports open. IOW, port 25, for instance, is not open because nothing is listening on it.

To answer your question: The reason it is bad to have open ports on your computer is because these ports can easily be discovered, and once discovered these ports are now susceptible to vulnerabilities of the listening applications.

ICMP doesn't use a port, it is a layer 3 protocol that is included in the IP suite of protocols.
– MDMarra Dec 13 '09 at 1:59


The only reason that I say it is that it is very important in reference to firewalls (which this is indirectly about). TCP is stateful, and thus connections are remembered, where UDP is not. Many times this means ports must be open for return UDP traffic which is initiated internally where this does not need to happen for TCP connections that are established internally.
– MDMarra Dec 13 '09 at 4:13

I lock my doors & windows 'cause it's cold outside. What does this question have to do with insulation?
– quack quixote Dec 13 '09 at 3:36


Do your doors and windows not insulate if they are only closed? Does the extra bolt really provide that much more insulation?
– Dentrasi Dec 13 '09 at 22:32

Good point, but it's worth noting that not everyone locks their doors and windows at home. This could be "Not everyone wants to protect their property" or "Not everyone likes to live in a culture of fear", depending on your viewpoint.
– Ilari Kajaste Dec 14 '09 at 9:32

Let's just say that open ports are like an open window and an open door, but when your window is open a robber, a rat or a spider can get in. #please tell me if I am dumb or asinine
Edited: no asinine
Open ports are like open windows, but on the internet there is an open port, I guess; also closed ports are closed windows. Without them we cannot connect or browse, I guess, just like HTTP and SSH or FTP: without them we can't connect, 'cause it's a client, it's just a TCP connection.

I'm no security expert

Open ports are required to offer services. Just one out of a zillion possible examples: Gmail uses an open port (443 for their website using HTTPS). But it asks you to log in before showing anything.
– Arjan Jan 21 '17 at 17:37